Windows 2000 Active Directory Global Vs. Local Permissions

I have a company in UK that wants to have the ability to grant accounts but account access will need to be managed locally in the USA. (The accounts will need to be managed in its entirety from the UK. However, access will be managed locally in the USA.) The UK office cannot have access into the US network at all. Can someone explain if this can be done? If so, how do we do it? The question becomes, "Can the UK office manage accounts and be locked out of the US network if they still control the creation of accounts from the UK?"

In the US domain, create domain local groups used to grant access to the shares (e.g. a group called 'Accounts Files'). Admins in the US can then grant this group the permissions to the local resources.

In the UK domain, you create a global group, say 'Accounts Users', and place your users into this group.

The US admin then places your global group 'Accounts Users' into 'Accounts Files', thus granting your users access to the resources in the US domain.

That way, the US admin has control over the level access to the resources the group has, while you have control of who gets that level of access.

The UK office cannot access the US network at all. In other words, the UK creates user accounts but the US manages the access to the network and must block out the UK users from accessing any US resources.


As I said, you don't need access to each other's domain. Are we talking two domains? Basically the US has resources that it wishes to control access to?
- The US creates a domain local group and grants this group the required level of access.
- The UK creates users and puts them into a global group.
- The US then adds this global group to the domain local group, thus granting its members access.
- If the US wants to change or restrict the access granted, they change the permissions granted to the domain local group, thus granting/changing access of the UK users.

0

jodie888Author Commented: 2009-05-26

Thanks for your reply.

We are talking the same domain (UK and US in the same domain). I guess what I am confused about is how can I keep the UK out of US directories if they are the ones controlling the creation of accounts? Could they override my settings in the US if they needed or wanted to? All the accounts would be created in the UK but US will control access. But if UK creates the accounts couldn't they also delete these accounts? Could they not gain access into the network as well?

In that case, you would need to place the domain local groups (which are granted the access to the resources) in an OU, which the UK has no control over. You can create a global group to contain the US admin user accounts, add this group to the security tab of the OU, then remove the rights of 'Domain Admins'. By default, Domain Admins have full control over all of the domain, but you can change this so that only a specified group does.

This would mean that only this group has control over this OU. You can then create and maintain the domain local groups in this OU. The UK can still create accounts, but only the US can place those users into the required domain local groups to grant them access to certain resources. Also change the owner of the OU to your group so that the UK domain admins cannot re-add themselves.

Check the security tab in the properties of an OU. You can grant/remove permissions similar to how you would for a file/folder. You can be more granular also in the 'Advanced' tab, where you could grant a group the right to create new objects, but not to delete them.

0
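The group nesting and OU delegation described in the answers above, scripted as an added example that is not part of the original thread. It assumes a current domain controller with the ActiveDirectory PowerShell module (not available on Windows 2000); the OU and group names are constructed, and the UK-maintained global group 'Accounts Users' is assumed to already exist.

```powershell
# Added example: AGDLP nesting plus OU delegation so that only the US admin
# group can manage the domain local groups that carry resource access.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. OU owned by the US admins; the access-granting domain local groups live here.
$ou = New-ADOrganizationalUnit -Name 'US Resource Groups' -Path $domainDN -PassThru

# 2. Global group holding the US admin accounts, and the domain local group that
#    file-server ACLs reference (constructed name 'Accounts Files').
$usAdmins  = New-ADGroup -Name 'US Resource Admins' -GroupScope Global `
                         -Path $ou.DistinguishedName -PassThru
$accessGrp = New-ADGroup -Name 'Accounts Files' -GroupScope DomainLocal `
                         -Path $ou.DistinguishedName -PassThru

# 3. Nest the UK-maintained global group into the US domain local group.
#    The UK controls who is in 'Accounts Users'; the US controls what it can reach.
Add-ADGroupMember -Identity $accessGrp -Members 'Accounts Users'

# 4. Delegate the OU: keep inherited ACEs as explicit ones so SYSTEM and the
#    other default entries survive, then drop Domain Admins, grant the US admin
#    group full control, and make it the owner so it cannot simply be re-added.
$ouPath = "AD:\$($ou.DistinguishedName)"
$acl = Get-Acl -Path $ouPath
$acl.SetAccessRuleProtection($true, $true)          # block inheritance, copy ACEs
@($acl.Access) |
    Where-Object { $_.IdentityReference.Value -like '*\Domain Admins' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$sid  = [System.Security.Principal.SecurityIdentifier]$usAdmins.SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
$acl.SetOwner($sid)
Set-Acl -Path $ouPath -AclObject $acl

# 5. Review the result: only 'US Resource Admins' should hold full control.
(Get-Acl -Path $ouPath).Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Note that this separates duties within one domain but is not a hard security boundary: members of Domain Admins keep domain-wide privileges such as taking ownership, so if the UK must be unable to reach US resources under any circumstances, a separate domain or forest is the boundary to use.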

jodie888Author Commented: 2009-05-27

Thanks to Tony for clarifying what I needed. He was very responsive and extremely helpful. Kudos to you... thanks for the knowledge!
